Microsoft Moves Against Bad Passwords

With the scourge of digital credential theft on the rise Microsoft is urging IT admin to button-up their networks and get serious about passwords and account security. The IT behemoth posted on Tuesday a best practices cheat sheet for administrators along with updating customers on some of the company’s latest security tools for keeping accounts safe.

Microsoft wrote in a blog post by its Active Directory Team that it is responding to last week’s revelation that a 2012 LinkedIn data breach compromised 117 million user credentials. The fallout from the LinkedIn breach is that tens of millions of those usernames and passwords could possibly be used to unlock other accounts. That, security experts say, should strike fear in the hearts’ of IT administrators.

But according to Robyn Hicock, a program manager on Microsoft Identity Protection Team, with good account hygiene a breach similar in size to LinkedIn’s shouldn’t have CIO biting their nails. Hicock, who penned Tuesday’s whitepaper about good account practices (PDF), said follow Microsoft’s suggestions and companies can avoid the collateral damage of compromised credentials that comes with massive data breaches.

For starters Hicock said take everything you thought you knew about passwords, and think again.

She said common approaches to password management don’t work, such as IT admins who enforce requirements on password length, complexity and impose regular and periodic password expirations.

These above requirements actually make passwords easier to crack, she said. “Why you might ask? Because humans act in pretty predictable ways when faced with these kinds of requirements,” Hicock wrote.

Requiring the use of multiple character sets is counter intuitive to good password hygiene because most people use similar patterns when using them. She said forcing users to change their passwords frequently also doesn’t make passwords more secure because people too often just use one bad password after another.

Also not making passwords more secure was increasing their length. “Passwords greater than about 10 characters can result in repeating patterns like fourfourfourfour or passwordpassword,” Hicock wrote. Passwords longer than 10 characters are even worse because people are more apt to re-use them across other accounts and or store them in unencrypted documents on their PC or in the cloud.

For these reasons, Microsoft has stepped up its practice of banning bad or common passwords.

“We see more than 10 million accounts attacked daily, so we have a lot of data about which passwords are in play in those attacks,” Hicock said.

Microsoft has added a feature called Dynamically Banned Passwords to its Microsoft Account Service platform that prevents users from choosing a common password. Microsoft said it will be adding the features to Azure Active Directory customers in private beta form “over the next few months.”

“When it comes to big breach lists, cybercriminals and the Azure AD Identity Protection team have something in common – we both analyze the passwords that are being used most commonly. Bad guys use this data to inform their attacks,” Hicock wrote.

That’s when Microsoft’s second password protection measure kicks in called Smart Password Lockout. As the name suggests, this feature will lockout and lock up an account that an unknown user is trying to access. At the same time, the genuine account holder will be alerted to the fraudulent attempt to access the account, but would not be locked out. Microsoft said it does this by “determining the risk associated with a specific login session.”

“More than half the time, we keep hackers from disrupting you or your users,” Hicock wrote.

Of course the most important point here is good passwords are vitally important. Topping that list is to ban the use of common passwords that are easy pickings for brute force attacks. Other suggestions for good password hygiene include:

Also need to update IT auditors. External It auditors, even for financial audits, consistently look for password complexity, expiration, and length as part of their controls checks. If these aren’t set you get a finding that goes to your executives or board who then come back and question why you aren’t implementing “good practices”.

The audit world lives for textbook IT controls and is unfortunately slow to be receptive to practical solutions to real threats. Without a change there, efforts made may be unraveled in favor of “book smart” folks.

Deloitte, one of the “big four” global accounting firms, admitted it fell victim to a cyber attack last year but downplayed the incident on Monday saying it only affected a few of its high profile clients.